UK email marketing rules

September 2023

Is email marketing putting your business as risk?

Hardly a month goes by without an announcement from the UK’s Information Commissioner’s Office of another business being fined for falling foul of the email & SMS marketing rules.

It continues to surprise me that some marketing and communications teams haven’t heard of the Privacy and Electronic Communications Regulations. They’ve been around since 2003 (far longer than GDPR) so businesses really have no excuse. Of course, there will always be some who want to try and get away with it.

Under PECR there are specific rules for direct marketing by telephone, email and SMS, plus rules for cookies and similar technologies.

Here I’m going to focus on email marketing. The same rules apply to SMS and to other ‘electronically stored’ marketing messages, including picture or video messages, voicemail, in-app messages and personal messaging on social media.

Consent for business-to-consumer (B2C) marketing emails

Unless using the exemption below, you must collect consent before you send email marketing to what are termed individual subscribers. This definition covers people who personally subscribe to their email service provider. For example people who give you their personal gmail, hotmail or btinternet email address.

Soft opt-in exemption for business-to-consumer (B2C) marketing emails

There’s an exemption to consent for B2C email marketing, commonly known as the soft opt-in. This can only be used if the following criteria are met:

  • The individual’s contact details are collected during the course of a sale (or negotiations of a sale) of a product or service
  • An opportunity to refuse or opt-out of the marketing is given at the point of collection and in every subsequent communication AND
  • You only send marketing about your own similar products and services.

See PECR Regulation 22 and the ICO’s Guide to PECR

Marketing emails to business contacts (B2B)

The rules on consent and the soft opt-in exemption do not apply to what are termed corporate subscribers. A corporate subscriber is described by the ICO as any corporate body (an entity with a separate legal status) with its own phone number or internet connection.

For example, my work email address has the domain <name>@dpnetwork.org.uk. DPN Associates pays for this service, not me as an individual. Businesses don’t legally need consent to contact me at my DPN business email address. To quote the ICO on this:

“The PECR rule on direct marketing by electronic mail does not apply to corporate subscribers. For example, this means you can send B2B direct marketing emails or texts to any corporate body. You do not need their consent under PECR to send such messages.”

A couple of key points to bear in mind:

  • A named business contact will still fall under the definition of personal data. Therefore B2B marketing to named individuals must comply with UK GDPR.
  • Sole traders and some partnerships technically fall under the definition of individual subscribers, where consent or the soft-opt-in exemption would be required.

The right to object

Everyone has the absolute right to object to direct marketing. This applies to both B2C and B2B marketing communications. Marketing emails should always have an unsubscribe link or clear instructions how to opt-out. Businesses also need to make sure everyone who has opted-out of emails is not included again.

Global email marketing

If you’re a UK-based company sending marketing emails outside the UK, you’ll need to check the rules in the destination country. The rules in the recipients’ country will apply. The rules in Germany, for example, are stricter than they are in the UK. Rules differ across Europe and the rest of the world for B2C and B2B email marketing.

What about UK GDPR?

Once you’ve got the PECR rules straight, you need to also consider what’s necessary to comply with UK GDPR. For example you should be transparent about your activities, fulfil the right to be informed, the right to object to direct marketing and so on. You also need to identify a lawful basis for your marketing activities and meet the requirements of this lawful basis.

Consent

If you’re relying on consent under PECR, the ICO tells us consent must meet UK GDPR’s standards. In other words, consent should be ‘freely given, specific, informed and unambiguous’ and must be given by the individual with a ‘clear affirmative action’.

One of the big changes under GDPR was the consent requirement became far stricter. It’s worth double-checking you’re meeting them. Consent – are you getting it right?

Legitimate Interests

If you don’t have to rely on consent, your other option is legitimate interests. There is a handy table in the ICO’s legitimate interests’ guidance under Can we use legitimate interests for our marketing activities?, which sets out when consent is required and when legitimate interests may be appropriate.

It shouldn’t be a throwaway decision to rely on legitimate interests. GDPR requires you to carefully balance the legitimate interests of your business with the ‘rights and freedoms’ of the people you’re going to market to.

You need to take care to make sure the rights of those whose data you’re collecting are not undermined by your business legitimate interests. We’d advise completing a Legitimate Interests Assessment (known as a balancing test) and keeping a record of this.

Other areas to be mindful of

  • Disguising a marketing message as a service message. Businesses will often need to send service messages by email for administrative or customer services purposes. These can be sent to everyone provided they only contain essential factual information for your customer. Such as confirming an order, confirming a delivery date/time, and so on. However, if there’s any promotional content, for example an upsell or cross-sell message, they will be deemed to be direct marketing messages and then PECR will apply. See Marketing and Service Messages
  • Asking for permission to send marketing by email is deemed to be a marketing message in itself. So you can’t email people to ask them to consent to marketing.
  • ‘Hosted’ emails; this is where you use another organisation to promote your products or services to their database. This could cause a problem if you are judged to be the ‘instigator’ of these emails, especially in a B2C context, and valid ‘named’ consent wasn’t collected, i.e. your business wasn’t named when the other organisation collected consent.

The above are all areas the ICO has taken action in the past.

On the face of it, email marketing rules might seem a minefield of terms; consent, soft opt-ins, opt-outs, legitimate interests, sole traders and corporate subscribers.

But once the rules are embedded into marketing teams’ heads and ways of working, it can make life easier and reduce the chances of unknowingly violating them and risking a fine.